su

Command

The su command is used to create a new process as a
different user.
The default user is Administrator.
A fully qualified user name containing an appropriate domain may be given.

Other arguments may be given after the user name; they are passed as arguments
to the shell.

Under Windows 7/2008R2/8/2012/10/2016, you are prompted on the terminal to enter the required password.
A new shell process is created in the same console window, but it is run with
a process token for the specified user.
The SHELL environment variable specifies which shell is used to
run this process.

The environment of the new shell is that of the calling process,
unless the - option is given.

The su command remains around waiting for the child shell
process to return, and unloads that user's registry hive when it returns
(assuming that it did the load, and it was not already loaded).

Windows 7/2008R2/8/2012/10/2016 security does not permit the changing of a user lightly!
Three different privileges are required to run this command:

Increase quotas (SeIncreaseQuotaPrivilege)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Act as part of the operating system (SeTcbPrivilege)

su tries to enable these privileges if they are not enabled.
Thus, if you are in an Administrator group, you won't have to explicitly
enable these privileges.
However, if you are not in a group such as the Administrator group that allows
you to enable these privileges, you must have a user in such a group
enable these privileges for you. These privileges can be enabled using
standard Windows methods or by using the priv utility.

As part of its operation, su tries to set up the user's
registry hive (that is, HKEY_CURRENT_USER). If this operation
fails, su continues after warning the user about the
failure.

To avoid seeing the same warning messages over and over, you can take the
following actions:

If warned about the SeRestorePrivilege privilege, you need to
have this privilege enabled. This privilege is automatically enabled by
su if you are in a group that allows it to be enabled.

If warned about not being able to locate the user profile, you must log on
as the target user, so that the system can create a user profile for the target
user.

Note:

On Windows 7/2008R2/8/2012/10/2016, when you run su with User Account
Control (UAC) enabled, you are prompted to permit the program to run
using your unrestricted token so that it may gain the privileges and
permissions needed to impersonate another user.

-

runs the shell as a login shell.
In this case, the -L option is passed to the shell,
and the environment is built from the registry as if the user were newly
logged onto the system.
Windows 7/2008R2/8/2012/10/2016 also has a per-user registry hive which is loaded for the newly
logged on user; per-user environment information is also loaded from this
part of the registry.

-l

does not load the per-user registry hive.

-ppasswd

allows you to specify the new user's password on the command line.
However, be careful with this feature as specifying passwords in scripts
can pose a security risk.
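
To act on the caution about -p, scripts can be audited for su invocations that embed a password. The following check is an added example, not part of the MKS documentation; the function name find_su_passwords and the sample script, with its user name and passwords, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the MKS documentation).
# find_su_passwords FILE...
#   Prints "file:line: ..." for each su invocation that carries -p<password>
#   and returns 1 if any were found, 0 otherwise. The password itself is
#   never echoed. Heuristic: whitespace tokenizing, no quote handling.
find_su_passwords() {
    awk '
    {
        in_su = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /^#/) break                  # rest of the line is a comment
            if (t ~ /^(.*\/)?su(\.exe)?$/) {     # su, /path/to/su, su.exe
                in_su = 1
                continue
            }
            if (!in_su) continue
            if (t ~ /^-p./) {                    # -ppasswd: password attached to -p
                printf "%s:%d: password passed to su with -p\n", FILENAME, FNR
                hits++
                in_su = 0
            } else if (t !~ /^-/) {
                in_su = 0                        # user name reached; later
            }                                    # arguments go to the shell
        }
    }
    END { exit (hits > 0) }
    ' "$@"
}

# Constructed sample script, written to a temporary file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# su -pOldSecret admin   (commented out, ignored)
su - -pExamplePw1 builduser make install
su builduser -pnot_a_password
su -l builduser
EOF
find_su_passwords "$sample" || echo "fix the lines listed above"
rm -f "$sample"
```

Only the third line of the sample is reported: in the fourth line the -p token follows the user name, so it is an argument for the shell rather than a password for su.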